Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges required; pure availability impact via kernel crash; no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
If queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a NULL pointer dereference running netif_napi_del() for RX queue NAPIs since netif_napi_add() has never been executed to this particular RX NAPI. The issue is due to the early ndesc initialization in airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc value to check if the queue is properly initialized. Fix the issue moving ndesc initialization at end of airoha_qdma_init_tx routine. Move page_pool allocation after descriptor list allocation in order to avoid memory leaks if desc allocation fails.
AnalysisAI
NULL pointer dereference in the Linux kernel's airoha QDMA network driver crashes the kernel when RX queue initialization fails mid-way through allocation. The flaw exists in airoha_qdma_init_rx_queue() where early ndesc initialization causes the cleanup routine to call netif_napi_del() on NAPI structures never registered via netif_napi_add(), dereferencing a null pointer and causing a local denial of service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three conditions must all be met simultaneously: (1) the target system must have Airoha QDMA-based network hardware with the airoha kernel driver loaded - systems without this hardware are completely unaffected regardless of kernel version; (2) the attacker must have local system access with at least low-level privileges (PR:L per CVSS); (3) a memory allocation failure must occur specifically during airoha_qdma_init_rx_queue() for either the queue entry array or the DMA descriptor list - this is an error path condition, not the normal execution path, requiring either natural memory exhaustion or deliberate memory pressure. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is consistent with the described impact: local access with low privileges can trigger a kernel availability impact (crash) with no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with low-privilege access on a device using Airoha QDMA-based networking hardware - such as certain MediaTek-based routers or embedded Linux platforms - applies memory pressure to exhaust available memory, then triggers reinitializion of the airoha network interface. The allocation failure in airoha_qdma_init_rx_queue() invokes cleanup before NAPI registration, dereferencing a null pointer and crashing the kernel. … |
| Remediation | Upstream fix available via kernel stable git at https://git.kernel.org/stable/c/d36be272adda7f313e39dd118086955d993bf6a7, https://git.kernel.org/stable/c/4d4acfa348a1d8c0941004823662ede0fdb5dea5, https://git.kernel.org/stable/c/14dc48e5ba73d5c69559bf1a1a6884f7843aade7, and https://git.kernel.org/stable/c/379050947a1828826ad7ea50c95245a56929b35a. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39833
GHSA-qvrw-vpg6-fx6m